2.3.3. Set up Authentication

Finally, we need to choose and configure the method for authenticating WebMapReduce users. Currently, there are two options for authentication:

Binding against a Lightweight Directory Access Protocol (LDAP) server. LDAP is a protocol to communicate with servers that maintain user directories. Setting up an LDAP server from scratch can be difficult and is beyond the scope of this guide. Configuring WebMapReduce to use an existing server, however, is fairly simple.
Using Pluggable Authentication Modules (PAM). PAM is a comprehensive system that provides many authentication options (including LDAP) through plugins. If your operating system uses PAM to manage logins (as most modern Linux and many other UNIX-based OSs do), you can copy its configuration to allow users to use the same usernames and passwords that they would to login to the system directly. More complex configurations are possible, but beyond the scope of this guide.

Note

WebMapReduce does not provide user management capabilities of any sort. Adding, removing, and changing accounts is the responsibility of the underlying authentication mechanism.

The next two sections document both of these methods.

2.3.3.1. LDAP

Assuming you have a working LDAP server that is accessible to the webserver, first set the authentication method to LDAP in include/settings.php:

$wmrAuthMethod = 'ldap';

Next set the hostname and port of the LDAP server:

$wmrLDAPHost = 'hostname';
$wmrLDAPPort = port;  // Usually 389

Now set the base distinguished name of users in the directory and the name of the attribute for the users' relative distinguished name:

$wmrLDAPBaseDN = 'base-dn';
$wmrLDAPUser = 'user-rdn-attribute';

Together, these two settings determine the full distinguished name of the user. For example, if base-dn were "ou=users,dc=myorg,dc=org" and user-rdn-attribute were "cn", and the username provided was "jdoe", then the full DN would be "cn=jdoe,ou=users,dc=myorg,dc=org". WebMapReduce uses this DN and the password provided to try to bind against the LDAP server.